Date:      Fri, 08 Dec 2000 05:04:57 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Lists Account <lists@security.za.net>
Cc:        Alwyn Goodloe <agoodloe@gradient.cis.upenn.edu>, freebsd-hackers@FreeBSD.org
Subject:   Re: Packet Header Filtering
Message-ID:  <3A30DC79.A5F26525@elischer.org>
References:  <Pine.BSF.4.21.0012081410050.89544-100000@security.za.net>

Lists Account wrote:
> 
> Look at IPF/IPFW; they both have state table stuff in them, and analyzing
> the IP header is done by both as well.  I would suggest you hack ipf to do
> what you want if it doesn't do it already.
> 
> Cheers
> 
> Andrew
> 
> On Fri, 8 Dec 2000, Alwyn Goodloe wrote:
> 
> >    We are about to begin a little project that has the following requirement.
> >
> >    Perform IP packet filtering  in the following way :
> >
> >
> > i) look at an ip packet header. If some conditions are met let the packet pass
> >    otherwise reject the packet.

You could hack your checks into ip_fw.c if they are not already supported.
What kinds of checks do you want to do?

Alternatively you could use the divert sockets to pass all packets that
might need filtering up to a userland process that can do arbitrarily
complicated filtering. If you want a framework with which to start, you could
start with natd and strip out the address translation calls and replace them
with your filtering calls.

OR you could catch packets at the ethernet level using netgraph and either
write a loadable netgraph module that does your filtering, or pass
them up to a daemon that can do arbitrary filtering.

It would be easier for us to answer if you said what kind of filtering you
want to do.

> >
> >
> > ii) Look at ip packet headers of established connections and when certain
> >     conditions are met tear down the connection.
> >
> >
> >   Obviously this isn't the kind of thing we will be using the usual
> > firewall software for, at least not as I understand the software.  What I
> > want to know from you FreeBSD hackers is:
> >
> >  i) if anyone has done something similar do you have any advice.
> > ii) Anyone know where I should start hacking. Would it be best to try to
> >     hack the firewall code or the ipforwarding code....
> >
> > Any such advice would be helpful.
> >
> >
> > Alwyn Goodloe
> > agoodloe@gradient.cis.upenn.edu
> >
> 
-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in:  Budapest
            v
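The divert-socket approach Julian describes above, as an added example that is not part of this thread or of natd: a userland daemon that receives every packet ipfw diverts to it, decides from the IP/TCP header alone whether it passes, and reinjects only the ones that do (a rejected packet is simply never written back). The pass/reject logic is a pure function over the raw packet bytes so it can be exercised offline; only main() needs a FreeBSD divert socket. The divert port 8668, the 10.0.0.0/8 "inside" network, the two-rule policy and the sample addresses are assumptions made for the example.

```c
/* Added example: userland header filter fed by an ipfw divert socket.
 * Divert port, policy table and addresses below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>

enum verdict { VERDICT_REJECT = 0, VERDICT_PASS = 1 };
#define FLAG_SYN 0x02
#define FLAG_ACK 0x10

/* Header fields the policy looks at, converted to host byte order. */
struct hdr {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t dport;      /* 0 unless TCP/UDP and this is the first fragment */
    int      tcp_flags;  /* -1 unless a complete TCP header is present */
};

/* Decode an IPv4 header; -1 means truncated or self-inconsistent, and the
 * caller drops such packets instead of guessing at their contents. */
static int parse_ipv4(const uint8_t *p, size_t len, struct hdr *h)
{
    size_t ihl, tot;
    memset(h, 0, sizeof *h);
    h->tcp_flags = -1;
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    ihl = (size_t)(p[0] & 0x0f) * 4;          /* header length, bytes */
    tot = ((size_t)p[2] << 8) | p[3];         /* total length field */
    if (ihl < 20 || ihl > len || tot < ihl || tot > len) return -1;
    h->proto = p[9];
    h->src = ((uint32_t)p[12] << 24) | (p[13] << 16) | (p[14] << 8) | p[15];
    h->dst = ((uint32_t)p[16] << 24) | (p[17] << 16) | (p[18] << 8) | p[19];
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0)
        return 0;                     /* later fragment: no transport header */
    if ((h->proto == IPPROTO_TCP || h->proto == IPPROTO_UDP) && tot >= ihl + 4)
        h->dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    if (h->proto == IPPROTO_TCP && tot >= ihl + 20)
        h->tcp_flags = p[ihl + 13];
    return 0;
}

struct rule {
    uint32_t src_net, src_mask, dst_net, dst_mask;  /* mask 0 matches any */
    int proto, dport;                               /* -1 matches any */
    int established;       /* require TCP with ACK set and SYN clear */
    enum verdict action;
};

/* Assumed policy for an inside net of 10.0.0.0/8: replies to connections
 * opened from inside, plus inbound mail; everything else is rejected. */
static const struct rule policy[] = {
    { 0, 0, 0x0A000000, 0xFF000000, IPPROTO_TCP, -1, 1, VERDICT_PASS },
    { 0, 0, 0x0A000000, 0xFF000000, IPPROTO_TCP, 25, 0, VERDICT_PASS },
};

static int rule_matches(const struct rule *r, const struct hdr *h)
{
    if ((h->src & r->src_mask) != (r->src_net & r->src_mask)) return 0;
    if ((h->dst & r->dst_mask) != (r->dst_net & r->dst_mask)) return 0;
    if (r->proto != -1 && h->proto != r->proto) return 0;
    /* dport is 0 for later fragments, so a port rule never passes them. */
    if (r->dport != -1 && h->dport != r->dport) return 0;
    if (r->established && (h->tcp_flags < 0 || !(h->tcp_flags & FLAG_ACK)
                           || (h->tcp_flags & FLAG_SYN)))
        return 0;
    return 1;
}

/* First matching rule wins; malformed packets and non-matches are rejected. */
enum verdict filter_packet(const uint8_t *p, size_t len)
{
    struct hdr h;
    size_t i;
    if (parse_ipv4(p, len, &h) != 0) return VERDICT_REJECT;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (rule_matches(&policy[i], &h)) return policy[i].action;
    return VERDICT_REJECT;
}

/* Constructed 40-byte IPv4+TCP packet for testing (no checksums; the filter
 * never looks at them). frag_off is in 8-byte units as in the header. */
uint8_t *sample_tcp(const char *src, const char *dst, uint16_t sport,
                    uint16_t dport, uint8_t flags, uint16_t frag_off)
{
    static uint8_t b[40];
    memset(b, 0, sizeof b);
    b[0] = 0x45; b[3] = 40; b[8] = 64; b[9] = IPPROTO_TCP;
    b[6] = (frag_off >> 8) & 0x1f; b[7] = frag_off & 0xff;
    inet_pton(AF_INET, src, b + 12);
    inet_pton(AF_INET, dst, b + 16);
    b[20] = sport >> 8; b[21] = sport & 0xff; b[22] = dport >> 8; b[23] = dport & 0xff;
    b[32] = 0x50; b[33] = flags;        /* data offset 5 words, flag byte */
    return b;
}

#ifdef IPPROTO_DIVERT   /* FreeBSD; pair with: ipfw add divert 8668 ip from any to any */
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin, from;
    socklen_t fromlen;
    static uint8_t buf[65535];
    ssize_t n;
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(8668);         /* assumed divert port */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        fromlen = sizeof from;
        n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); continue; }
        /* Passed packets go back in where ipfw diverted them; rejected ones
         * are never reinjected, which is how a divert filter drops. */
        if (filter_packet(buf, (size_t)n) == VERDICT_PASS)
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen);
    }
}
#else
int main(void) { puts("divert sockets need FreeBSD; filter_packet() is portable"); return 0; }
#endif
```

Two details matter more than the rule table. First, the parser refuses anything whose header length or total length disagrees with the bytes actually received, because a divert filter that reads past the packet on a crafted header is itself the bug. Second, a later fragment carries no transport header, so the example leaves its port at 0 and lets no port-based rule match it; otherwise an attacker can split a connection attempt so that only the fragment without the TCP header is ever judged. The "established" check (ACK set, SYN clear) is the same header-only notion ipfw uses, and is the natural place to hang the "tear down the connection when conditions are met" requirement from the original post.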
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A30DC79.A5F26525>